We use cookies to customise content for your subscription and for analytics.If you continue to browse Lexology, we will assume that you are happy to receive all our cookies. For further information please read our Cookie Policy.

Information law update: subject access requests and the dilemma for data controllers

The ability of an individual to require a data controller to provide full details of any personal data held about her is one of the central features of the Data Protection Act 1998 (DPA) – it is regarded by the Information Commissioner as a “fundamental right”.

The DPA sets out a number of exemptions to the right of access and the conventional view has been that, unless one of the exemptions is engaged, the data controller simply has to comply with any subject access request (SAR).

The recent decision in Dawson-Damer and ors v Taylor Wessing and ors[2015] EWHC 2366 (Ch) casts doubt on that conventional view. It suggests that an SAR made with the purpose of obtaining information for use in litigation will be an “abuse” of the DPA with the result that the Court will not compel a data controller to comply with such an SAR. It also suggests that, sometimes, a data controller will not even have to search for information when responding to an SAR. The dilemma for data controllers is whether Dawson-Damer is a decision that they can safely rely on.

Dawson-Damer arose out of dispute between some of the beneficiaries of certain trusts and the Bahamian trust company that administered those trusts. The beneficiaries made SARs to Taylor Wessing (TW), the London solicitors to the trust company. TW declined to provide information in response to the SARs principally because the information it held was subject to a claim for legal professional privilege (lpp) - the privilege being that of the trust company - and as result exempt from disclosure under paragraph 10 of Schedule 7 of the DPA. The beneficiaries applied under section 7(9) DPA for an order requiring TW to comply with the SARs. The application was unsuccessful.

The principal issue the court had to decide in Dawson-Damer was whether the lpp exemption was in fact engaged, and that gave rise to challenging issues about joint privilege, the English law rules relating to disclosure between a trustee and a beneficiary and the equivalent rules under Bahamian law. Applying a purposive approach to the exemption, the court concluded that it was engaged. But what is more interesting, and potentially of broader significance, is the court’s approach to two subsidiary issues.

The first issue was whether TW should have searched the information that it held to see if any of it (as seemed likely) was not subject to lpp. The judge took as his starting point the position that the data controller’s obligation when responding to an SAR is to conduct a “reasonable and proportionate” search and went on to conclude that, in the particular circumstances, it was not reasonable and proportionate for TW to carry out any search at all.

What drove this conclusion was the difficulty, and expense, of distinguishing between lpp and non lpp information – “The question of whether a document was protected by privilege was a matter that required consideration by skilled lawyers. It would accordingly be a very time consuming (and costly) exercise for such lawyers to carry out that task. The claimants had only paid a modest fee (£10 each) for the subject access requests. To expect TW to carry out the work required was neither reasonable nor proportionate”.

Read literally, this could open up a broad new basis on which to avoid providing any information in response to SARs at all – because in very many cases it is in practice time consuming and costly to respond. For example, SARs are often used by ex-employees in dispute with their former employers. Frequently the information that the employer will have to provide in response will include information relating to other individuals. Where that is the case, section 7 DPA requires the employer to get the consent of those other individuals or to determine whether it is reasonable to provide that information without getting that consent. That process will often involve lawyers, will always take time and will certainly cost a lot more than £10. It seems unlikely that the court can have intended to have opened up a wide “get out” from DPA obligations – but the position is far from clear.

The second issue was the relevance of the fact that the SARs were aimed at obtaining information to be used in connection with litigation between the beneficiaries and the trust company in the Bahamas. The judge held that this was not a proper purpose and that this was a reason why, if he was wrong in his ruling on lpp, he still would not have exercised his discretion under section 7(9) DPA to order TW to comply with the SARs.

Again, read literally, this could have an extremely wide impact – SARs are a standard tool used by litigators to obtain information in a very broad range of litigation and if data controllers can be confident that they won’t be compelled by the Courts to respond to SARs where they are being used for that purpose, then there may be some very limited responses being provided.

But can data controllers be confident about what the Courts will do? Probably not – yet anyway. The basis for the judge’s ruling on this point in Dawson-Damer was part of Lord Justice Auld’s judgement in one of the early DPA cases, Durant v FSA [2003] EWCA1746, where he said that the purpose of the DPA not to assist a person “…to obtain discovery of documents that may assist him in litigation or complaints about third parties…”. However, it is striking that in In the Matter of Southern Pacific Personal Loans Limited [2013] EWHC 2485 (Ch) that very same passage from Auld LJ’s judgment was considered in its full context and it was held that it was “not authority, one way or another, for the proposition that a data controller can refuse to respond to a request under section 7 on the grounds of purpose”.

What is more, it is very difficult to reconcile the Dawson-Damer approach with what was said by Lord Justice Kay in Durham County Council v Dunn [2012] EWCA Civ 1654. In that case solicitors acting for a prospective claimant had given notice of a possible claim and submitted an SAR at the same time. Subsequently proceedings were issued and there was then a dispute – which reached the Court of Appeal - about the adequacy of the disclosure (under CPR Part 31) made by the council. In his judgment Kay LJ referred to the SAR and said: “I do not doubt that a person in the position of the claimant is entitled – before, during or without regard to legal proceedings – to make an access request pursuant to section 7”.

The claimants in Dawson-Damer have been granted permission to appeal and it is to be hoped that any appeal will be heard quickly. As matters stand the decision creates real uncertainty for data controllers about their obligations under the DPA.